Re: [codec] AD Evaluation of draft-ietf-codec-opus-update-07

Jean-Marc Valin <jmvalin@jmvalin.ca> Wed, 26 July 2017 05:09 UTC

Return-Path: <jmvalin@jmvalin.ca>
X-Original-To: codec@ietfa.amsl.com
Delivered-To: codec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18BA8131E25 for <codec@ietfa.amsl.com>; Tue, 25 Jul 2017 22:09:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jmvalin-ca.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DIZwYzYQ4Hye for <codec@ietfa.amsl.com>; Tue, 25 Jul 2017 22:09:05 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87377124D68 for <codec@ietf.org>; Tue, 25 Jul 2017 22:09:05 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id v205so44876598itf.1 for <codec@ietf.org>; Tue, 25 Jul 2017 22:09:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jmvalin-ca.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=ELXWcFC3aEetKRDGyQcYFgvLPz5cP4K/kHjSzq1MPoM=; b=XulfFnBse1iiwfc7UX0SPATFu+j1V8p40pxO0YOzz2z5mhFO3CsoK9Gn9tqBa6Xh32 Gj/GvVOkJDq4x0scz36OKjm7DAcr+GwlcS0WTgduNVNy5j1AVxkrlB3AJBVs2QHfh37d l5lSs+RSjyZOBj+UQT4lfLcHvozSNO7DEJQCVXo239TyEDA4G66qIubhwa94WCR44b7X unduLrffFML39Zj19pc9eVlaPaWspPEGmj/3V7ukAmESLMxtn6Wd5MWwSpD3kpjj7R6F ZE5Tc7oGhsR7rJPFqkYZknIZCbtal/Up+muhhO6U27fx8shfSJMTYZyVsqQVsGYY9qZM U0Qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=ELXWcFC3aEetKRDGyQcYFgvLPz5cP4K/kHjSzq1MPoM=; b=B8kkhOsmSHecwUt8mjlUnkqwpVEHrFDZ/YS72gfxxMeavlWmU3+yFT9zjge1AkuZE/ MgnauNj1l+RH/YgdGP52SIwwWLgu1RWr5T6YRKctHxKo7SsCB7ccppV+JNLwFWblmeBx +r5Xe3qPPApBP757ilCrndV4CLE06kEHPDVYbnPCYb4ahPl7VDhEg+0SfivhTezP/Z4m GI7j1OaZDgfqHOYJAv2LHKX0Ia1WC4wRb749psdJXUpU3X+yMxcuqlqJyD/gt+o8Mleg lNc1WJt9PE07kqCaR3Q5xecqmfk9jfMlvtbs2SJ7KNn/qZUI2IzJEnZNpfomgT0w/BlA IuUQ==
X-Gm-Message-State: AIVw1131o3ukOxMC+K7EswnpQFKRGAeBmgfTlwenGpV5SsRiKuoFCulN MiGQQSrwbtKTQDBBSQk=
X-Received: by 10.36.160.4 with SMTP id o4mr13419617ite.157.1501045744691; Tue, 25 Jul 2017 22:09:04 -0700 (PDT)
Received: from panoramix.jmvalin.ca (modemcable067.31-56-74.mc.videotron.ca. [74.56.31.67]) by smtp.gmail.com with ESMTPSA id b83sm5759028iod.35.2017.07.25.22.09.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Jul 2017 22:09:04 -0700 (PDT)
To: Ben Campbell <ben@nostrum.com>
References: <44ADD827-E40E-4BBE-91DB-EFFC249AA10E@nostrum.com> <3e689239-f217-2185-96e2-c6ae35b4d0f3@jmvalin.ca> <15358143-0339-4B75-A5FD-010D465DA603@nostrum.com>
Cc: draft-ietf-codec-opus-update.all@ietf.org, codec@ietf.org
From: Jean-Marc Valin <jmvalin@jmvalin.ca>
Message-ID: <747d9352-f3b0-56cd-0b2c-9945ba764178@jmvalin.ca>
Date: Wed, 26 Jul 2017 01:09:02 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <15358143-0339-4B75-A5FD-010D465DA603@nostrum.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/codec/9R-gcYWfalUcAu9v7-XzpHh6WzU>
Subject: Re: [codec] AD Evaluation of draft-ietf-codec-opus-update-07
X-BeenThere: codec@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Codec WG <codec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/codec>, <mailto:codec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/codec/>
List-Post: <mailto:codec@ietf.org>
List-Help: <mailto:codec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/codec>, <mailto:codec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 05:09:08 -0000

Just submitted version -08 addressing your last set of comments. See
below for details.

On 26/07/17 12:41 AM, Ben Campbell wrote:
> I suggest adding a sentence to the effect of the following after “…
> associated text description.”:
> 
> "That RFC includes the reference decoder implementation as Appendix
> A."

Done.

>> This document fixes two security issues reported on Opus and that 
>> affect the reference implementation in RFC 6716 [RFC6716]: CVE- 
>> 2013-0899 and CVE-2017-0381.  CVE-2013-0899 is fixed by Section 4
>> and could theoretically cause information leak, but the leaked 
>> information would at the very least go through the decoder process 
>> before being accessible to the attacker.  Also, the bug can only
>> be triggered by Opus packets at least 24 MB in size.  CVE-2017-0381
>> is fixed by Section 7 as far as the authors are aware, could not
>> be
> 
> Is there a missing word? It’s not clear if you mean to say that as
> far as the authors are aware it is fixed, or as far as the authors
> are aware it could not be exploited.

There was indeed a missing "and":

  CVE-2017-0381 is fixed by Section 7 and, as far as the authors
  are aware, could not be exploited in any way...

> Can you add some context about the CVEs, such as where they are
> reported and where they can be found?

Added links to the CVEs

> So, as I looked at the XML diff, I realize the emphasis is added
> using XML tags rather than by hand entering the underscores. So I may
> have been incorrect to say they have no meaning in the context of an
> RFC :-)   I think the text is still better without them, but do not
> have strong feelings if you prefer to keep them.

I agree that the underscores weren't adding much, so I'm leaving them out.

Cheers,

	Jean-Marc